November 4, 2016

Federal Energy Regulatory Commission’s Unclassified Cybersecurity Program – 2016

The Federal Information Security Modernization Act of 2014 established requirements for Federal agencies to develop, implement, and manage agency-wide information security programs, including periodic assessment of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency.  In addition, the Federal Information Security Modernization Act of 2014 mandated that an independent evaluation be performed annually by the Office of Inspector General to determine the effectiveness of the agency’s information security program and practices.  The Office of Inspector General contracted with KPMG LLP (KPMG) to perform an assessment of the Federal Energy Regulatory Commission’s (Commission) unclassified cybersecurity program.  This report presents the results of that evaluation for fiscal year 2016.

Fiscal year 2016 audit work, performed by KPMG, found that the Commission had implemented the tested attributes of its cybersecurity program in a manner that was generally consistent with requirements established by the National Institute of Standards and Technology, the Office of Management and Budget, and the Department of Homeland Security.  In particular, testing on a sample of targets within the Commission’s unclassified internal network, including servers and workstations, found that management, operating, and technical controls implemented within that environment were effective.

Topic: Management & Administration